I can't seem to get snort to stop logging to syslog (specifically auth.log). As far as I can tell, it behaves as if I were running it with the -s flag or with output alert_syslog: LOG_AUTH LOG_ALERT in the config.

I'm running snort 2.9.7.0 compiled with ./configure --enable-reload, and unless there's some hidden option I'm missing, I'm telling it to log unified2 to merged.log and nowhere else.
snort@snort:~$ ps -ef | grep snort
snort 7524 1 1 18:15 ? 00:00:00 /usr/bin/snort -c /etc/snort/snort.conf -i bond0.566 -l /var/log/snort/bond0.566 -D
snort@snort:~$ grep -R '^output' /etc/snort
/etc/snort/snort.conf:output unified2: filename merged.log, limit 128, mpls_event_types, vlan_event_types
Here is some of the logging I'm seeing:
snort@snort:~$ tail -n 10 /var/log/auth.log
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Classification: Unknown Traffic] [Priority: 3]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:32271 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:56534 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:5:1] stream5: Bad segment, overlap adjusted size less than/equal 0 [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:53271 -> xxx.xxx.xxx.xxx:443
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
Feb 10 18:31:15 snort.example.com snort[32353]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Classification: Potentially Bad Traffic] [Priority: 2]: <bond0.566> {TCP} xxx.xxx.xxx.xxx:2443 -> xxx.xxx.xxx.xxx:80
Most of these alerts are junk that I'll filter out later; the alerts themselves don't bother me. What bothers me is that they are going to auth.log and I can't figure out why.

Answer 0 (score: 0)
I would check to make sure snort is actually the process responsible for generating these log entries. I've seen cases where barnyard2 shows up in the logs as if snort were generating them, which would throw anyone off. In /etc/barnyard2.conf, or whatever your config file is, you may see a line telling it to send alerts to syslog, like this:
output alert_syslog: LOG_AUTH LOG_INFO
You want to edit that line so that barnyard2 logs what you want it to.
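As an added example (not part of the question or the answer above), the following POSIX shell script does the two checks the answer suggests: it pulls the syslog tag and PID out of each auth.log line so the PID can be resolved through /proc to the binary that really wrote it (snort and barnyard2 both log under their own tag, but a stale or second snort instance, or a differently named wrapper, is only visible via the PID), and it greps the candidate config files for any alert_syslog output line. The sample log lines embedded in SAMPLE are constructed for the demo; the file names /etc/snort/snort.conf and /etc/barnyard2.conf are the ones mentioned on the page, and any other path is an assumption you should adjust.

```shell
#!/bin/sh
# Added example: find out which process is writing snort-style alerts to syslog
# and which config enables the alert_syslog output plugin.

# Constructed sample auth.log lines (not real data) used by the demo at the bottom.
SAMPLE='Feb 10 18:31:15 snort.example.com snort[32353]: [119:31:1] http_inspect: UNKNOWN METHOD [Priority: 3]: <bond0.566> {TCP} 10.0.0.1:32271 -> 10.0.0.2:80
Feb 10 18:31:16 snort.example.com barnyard2[4412]: [129:12:1] stream5: TCP Small Segment Threshold Exceeded [Priority: 2]: <bond0.566> {TCP} 10.0.0.1:56534 -> 10.0.0.2:443
Feb 10 18:31:17 snort.example.com sshd[901]: Accepted publickey for ops from 10.0.0.9 port 50122 ssh2'

# syslog_tag_pids FILE  (use '-' for stdin)
# Prints one "tag pid" pair per distinct "tag[pid]:" field found in traditional
# syslog layout (month day time host tag[pid]: message), sorted and de-duplicated.
syslog_tag_pids() {
    awk '
        $5 ~ /^[A-Za-z0-9_.-]+\[[0-9]+\]:$/ {
            tag = $5; sub(/\[.*$/, "", tag)            # strip "[pid]:"
            pid = $5; sub(/^[^[]*\[/, "", pid)         # strip "tag["
            sub(/\].*$/, "", pid)                      # strip "]:"
            print tag, pid
        }' "$1" | sort -u
}

# pid_cmdline PID
# Resolves a PID to its full command line via /proc; prints "(gone)" when the
# process no longer exists (e.g. the PID in the log predates the current daemon).
pid_cmdline() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        echo "(gone)"
    fi
}

# find_syslog_outputs CONFIG...
# Lists every non-commented "output alert_syslog" line in the given config files,
# prefixed with file name and line number. Exit status 1 means none were found.
find_syslog_outputs() {
    grep -HnE '^[[:space:]]*output[[:space:]]+alert_syslog' "$@" 2>/dev/null
}

# Demo on the constructed sample. Against a live box you would run, for example:
#   syslog_tag_pids /var/log/auth.log
#   find_syslog_outputs /etc/snort/snort.conf /etc/barnyard2.conf
printf '%s\n' "$SAMPLE" | syslog_tag_pids - | while read -r tag pid; do
    printf '%s[%s] -> %s\n' "$tag" "$pid" "$(pid_cmdline "$pid")"
done
```

Reading the output is straightforward: if the PID behind the snort tag resolves to a command line that is not your /usr/bin/snort invocation (or resolves to "(gone)" while a differently numbered snort is running), the entries are not coming from the daemon you think they are, and find_syslog_outputs tells you which file still carries the alert_syslog line to remove.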